Hey, we've got some people coming in. All right, good afternoon, everybody. Thank you so much for being here. This afternoon I'm delighted to have the team from Varonis here. We have Guy Melamed and Brian Vecci, Guy, obviously, the COO and CFO of Varonis, and Brian being the field CTO. Brian, Guy, thank you so much for being here.
Thanks for having me.
Thank you. And as a brief programming note before I begin, for important disclosures, please see the Morgan Stanley Research Disclosure website at www.morganstanley.com/researchdisclosures. And with that, I thought I would just start off level set. You know, we might have some new faces in the audience. Brian, maybe if you can give us an overview of Varonis. You guys are unique in the cybersecurity space in that you sit at the intersection of data and security. So maybe just walk us through kind of, yeah.
Sure. So, for those that are new, we're a security software company. Our software protects data. If you think about cybersecurity as layers of an onion, there's perimeters, there's devices, there's identity. We sit at the data. We help organizations know what data they have and what's important and where it is. These days you've got data on premises; you've got data in the cloud. We monitor it and we protect it automatically by making sure that data's not exposed to people and applications that don't need it. And if something ever does happen, you know about it quickly and can respond to it quickly.
Great. Very clear. Guy, maybe talk a little bit about the last, you know, Q4. You obviously had a really strong Q4 to cap off the year. Can you go through some of the things that drove the strength that you saw and just the prioritization level towards data security?
I think in order to kind of understand where we are and even talk about Q4, just to point out that at the beginning of 2023 we announced the transition to SaaS, in which we're providing the offering through a SaaS solution which is a much better product. And it's actually evolving much quicker than we initially thought. The progression of the transition is happening quicker. We are seeing new customers adopting this, but also existing customers are embracing this and asking to convert to switch from the on-prem subscription offering to the SaaS offering. And that's happening in a natural way. We can talk more about that. I think in Q4 we saw very good adoption of both new and existing customers. I think what's exciting about where we are today is there are a lot of tailwinds that are working in our favor.
We can talk about that as well. It's the SEC Cybersecurity Regulation that was recently introduced. We're talking about Copilot with the risks that that is generating to companies that are trying to kind of move in that direction. And we are there to help. And also, a new offering that we came out with that we're now charging money for. We actually did that in 2023 with an incident response team. And now there's an MDDR offering, the Managed Data Detection and Response team, where we're actually charging customers for the fact that we will alert them if anything abnormal is happening. So, they can save on kind of the headcount that they need from their security team and reallocate those resources. And we're in a very unique position.
I think you know, a lot of things are working in our favor and we're gonna try and capitalize on that.
Got it. Yeah, a lot of tailwinds. I definitely wanna dig into this. Brian, did you have something to say? I'm sorry.
No, no, no.
Okay. All right. So maybe just before I go into that, you know, last year at the beginning of last year the macro was still a bit challenging. You talked about stabilization in the back half. What are you seeing so far in 2024 and kind of what's factored in your guidance from a broader macro perspective?
So we saw in the second part of 2023 the headline that we put to the macro environment was stabilization. We're seeing that. We haven't seen the macro worsen. We haven't seen it improve. We are still seeing longer sales cycles and more deal scrutiny on every purchase. I don't think it relates to security per se. I think it's any software purchase requires additional signatures to put pen to paper. But I think in where we are in the environment that's surrounding kind of with hacking being more challenging, a significant increase in the number of hackings going on, and also the risk of having insiders be exposed to sensitive information that they shouldn't have access to is allowing us to benefit from the justification for the purchase. And I think what we have done is simplify the conversation with customers.
Not only have we moved in the direction of consolidation of SKUs where you don't have to go line by line on purchasing, but we're talking about outcomes. You need to buy this package in order to protect your organization. And that's working really well. And on top of that, when you think about kind of the MDDR offering and the fact that we are moving towards automation and simplification with the customer where all they need to do is pay and we will let them know if anything abnormal is happening, it's very similar going back to kind of the way Brian described us.
We're trying to do, and I think what we're doing very well is alerting customers just like credit card companies will send you a text whenever there's an abnormal purchase and all you need to do is click yes or no whether it's you or not. We do the exact same thing, but we do it with data. And the reason we can do it with data is because we can identify who's opening files, who's touching files, who's deleting files.
And when you enter someone's taken over an account and logs in at 2:00 A.M., with a laptop that the organization doesn't recognize with an IP that's associated with a nation that shouldn't have access to that account and they're opening 10,000 files when they usually open 100 files, and those files that they're opening are the most sensitive files that the organization has, that gives full visibility that something abnormal is happening. And that's why I think we have the capability to provide so much value to our customers in protecting data.
Definitely a lot of secular tailwinds there. I think the thing that we're, many of us are probably most excited about is around generative AI. So, Brian, I'll shift the question to you. I cannot have a conversation with the CIO or CISO about GenAI without talking about data security and governance. How do you protect these models? How do you deploy them in a secure way? Can you talk a little bit about, number one, where does Varonis sit within that AI landscape as far as whether it's getting your data ready or post-deployment? And what are you seeing today from a pipeline perspective? And maybe I'll shift to you, Guy, here, around some of these GenAI deployments as it relates to your business.
It's a big set of questions.
Yeah.
And you kind of set it up really well in that any conversation about GenAI or LLMs or productivity tools like Copilot is a conversation about data, right? That's what all of this technology is built on. So, when an organization is either planning to build internal LLMs to train data that are worried about the protection of that data, the security of it, they wanna make sure that only the right data is in those corpuses, and in those training sets. They wanna make sure that only the right people and especially applications have access to it. They wanna monitor it to make sure that nothing inappropriate is happening with that data. I've just described everything that Varonis does to protect that data.
Similarly, lots of enterprises are exploring productivity tools like Microsoft Copilot or Salesforce Einstein GPT, which can make their knowledge workers dramatically more productive but exploit all of the open access and sensitive data being available to people who don't need it and in the wrong place that we know every organization faces. These Copilots and other productivity tools that are based on LLMs can really create a massive amount of risk very, very quickly. We help solve that problem quickly as well.
So just to touch yeah, you wanna touch on how that's baked into guidance. I think it also ties to your previous question on macro and guidance. So, we talked a lot about the tailwinds that we're seeing, whether it's—I mentioned before—the SEC cybersecurity regulation, MDDR, Copilot. All of those are tailwinds that we've really never seen before. From a guidance perspective, because all of those are very new, we haven't baked in any positivity as part of our guidance. We wanna see how this translates into data that we track. And then obviously we'll be happy to update things throughout the year as we see them progress. From a macro perspective to tie back to the previous question, we kind of assume the stabilization continues throughout 2024.
I think from a guidance perspective, we kept the same philosophy that we've had in previous years, where we don't bake in any positivity before we see it translate into the numbers for us.
Just to put a cap on that, any company exploring generative AI needs to protect their data. There is no way to protect data at scale like using Varonis. Any company that's looking at AI needs us.
I'll reemphasize that. Every company needs to protect data whether they're using AI or not.
Mm-hmm.
Using AI actually puts a huge spotlight on the risks that they have because one of the things that we've seen is that people now put in the whole thing into the text box who received the salary increase in 2023. They'll get the list immediately, which is scary from an organization's perspective. We saw traders on the floor that actually clicked into the Copilot, the list of all the 401(k)s of the entire employee organization. They got that list immediately. So, the risks when you think about it are huge. Copilot just makes it scarier in seconds for the organizations. They need to ensure that they're thinking about data before they actually roll it out.
Yeah. It goes to my next question. When you think about the ramp of this, right, obviously it's still early days. There's sales cycles to everything. You guys have a big ad marketing initiative kind of centered around "Is your organization Copilot ready?"
Mm-hmm.
So is this gonna be something that is gonna happen, you know, pre-deployment of Copilot and these GenAI tools? Or do you think it's gonna happen more after the fact when, you know, customers do have that, "Oh, dang, moment. My data's exposed"?
Probably gonna be a combination of both. But the number one reason that companies aren't widely deploying Copilot is because of privacy and security. They don't have a way to solve the problem. With us, in a month you're ready to go. Everything's locked down. It's automatic. We have MDDR watching your data, looking at the Copilot prompts, making sure that you're properly protected. So I think thoughtful organizations, the ones that put security at the top of their list, are going to be using Varonis before they deploy Copilot. That said, there's always gonna be situations where a company gets burned and then they're gonna come back later to try to fix the problems that we knew were probably there.
Just to add to that, one of the things that we're seeing is that the Copilot is definitely coming up in conversations with customers. But we haven't seen it deployed in mass scale, and that's definitely something that we're closely monitoring. I think eventually it happens. It's just, I think organizations wanna make sure that they understand the consequences of how their data looks before they do it.
Got it. Couple more AI questions. And then I kind of wanna open up the audience 'cause it's such a big topic. You announced a partnership with, or you expanded your partnership with Microsoft around, you know, security and Copilot. Can you, one, go into a little bit more detail there, Guy, just, you know, what are sort of the high-level economics of that? What are you helping to solve?
So, we've had the long-lasting partnership with Microsoft for many years now. But I think when you look at kind of the Copilot initiative that's happening as we speak, we've actually strengthened our partnership with Microsoft. They are actually we've come out with a press release where Microsoft is quoted talking about kind of the risks of implementing Copilot without taking care of your data. And they actually mentioned that Varonis is a way to solve that. And I think it speaks volumes in terms of the partnership there. There's also a lot of marketing initiatives together that we do with them. But I think when you look at kind of the opportunity, it's not just with a Copilot. It's just the environment itself that's becoming riskier and riskier for customers. And we wanna try and capitalize on that.
And then, Brian, you know, why would a customer want a third-party, you know, independent data security vendor versus maybe going to the LLM provider of Microsoft to do the data security for you?
'Cause there's nothing that does what we do. That, I mean, that's the simple answer. There's no way to get to the outcomes where data's not available to people who don't need it, that sensitive data's properly protected, that you minimize the time to detection and time to response for a threat, and that you can prove that you're compliant and that all your data's properly labeled to DLP works. There is no platform provider. There is no built-in tool that will solve those problems. That's why they'd come to us.
I know there's probably questions in the audience. So wait for a mic. Oh, we got a question in the corner here. Wait for the microphone. Sorry.
That is most unique. Oh, thanks about what Varonis does. Is it the heterogeneity of the data sources? Is it the response time, the fact that you encapsulate data versus individual apps? I mean, which could you go into that a layer deeper just to make sure we understand?
Sure. I think the right way to think about what makes Varonis unique is that we're the only way to not only identify where there is sensitive data to, to your point, across a variety of data sources and applications on-premises and in the cloud. We're the only way to do that at scale. Then we're the only way to lock things down. So what we find whenever we look at data, whether it's in Microsoft 365 or on a file system or in an application like Salesforce or GitHub or in cloud infrastructure like Amazon or Azure, we find data in places that it's not supposed to be, but it's accessible to people and applications that aren't supposed to have access to it. 40% of the data inside a company is open to literally every single employee. There's no way to solve that problem.
So when I talk about outcomes, what we mean is you deploy Varonis. Not only do you know where you have problems, but we fix them automatically. And all the while, to use Guy's analogy, we're like the credit card company watching your statements. We're looking at every data touch, every time someone accesses something or creates it or shares it, anytime someone uses Copilot and creates a prompt that might be risky. And our team with MDDR is looking at all of those behaviors and all of those alerts. So when something goes wrong, we call you. There's no other way to do that.
When you think about how critical it is to make sure that your data is secure in a world where you're using generative AI-based tools and building LLMs that are presumably extremely valuable to you, if you don't get to those outcomes, if you don't secure your data, and you don't reduce the time it takes to detect and respond to a threat, the company is at far greater risk than probably you even realize.
Got it. Thank you. And also, just a quick follow-up. I was curious how often, at least to date, it gets more complicated with GenAI. But how often do the external threats look like, Guy's example, meaning somebody from another country, you know, 2:00 A.M. accessing tens of thousands of files, whatever the case is? I mean, just how often is that the case versus something that's more?
Probably more often than you realize. But it's not just external nation-state actors. It's internal threats. There was a hospital system in North Carolina. We called them to let them know that a person on their IT team was looking at salary data in their HR directories before going into their annual reviews. We found a major U.S. city where their water system was currently under attack by a ransomware group trying to lock it down so that they would get paid. It's cybercriminals. It's insider threats. It's nation-state actors. It's also just people making mistakes. And with generative AI, you have more data than you ever had before. It's more valuable. And the tools for both insider threats and outside threat actors are more powerful than they've ever been. So, the answer is probably more than you realize.
Thank you both. Yep. Got it. Thanks.
Oh, we got one more question here.
Thank you. So, from the demand side, as you guys said, right, where when it comes to GenAI and Copilot, it's coming up in every conversation, the need for security. From the supply side, you guys as you said, Brian, it's sort of the only game in town.
Mm-hmm.
The question is, like, what opens up that floodgate, right, like, in terms of why, you know, when do we see that step function up, where or what, what breaks what, you know, what, what are the catalysts that breaks that inertia, in getting CIOs to just start deploying some of these tools?
So, I think when you look at the guidance and I'm going back to the guidance. We didn't bake in any of that inflection point happening within the year. Obviously, if we see things progress in that direction, we'll update throughout the year. But that's been our philosophy. I think when you look at the Copilot and it's not just Microsoft. I think that's an important emphasis as well. Everyone is going in the direction of improving productivity. And when you look at kind of the big organizations, whether it's Salesforce that's coming out with Einstein or Google or even some of the other big companies that I don't think will leave this field untouched, it puts that emphasis and the risk on data being exposed. And that's why we've kind of we wanna be there.
I think MDDR, with the simplicity that it provides customers and the value that it can provide them with, securing data and alerting them if anything abnormal is happening, is a big change in the way we talk to customers. The conversation is much simpler. The value that we can provide them is much greater. And that's all we've been trying to do for the last couple of years, focus on automation, consolidation in terms of providing them outcomes and not necessarily different, separate SKUs. And that's just part of what we've been trying to do for quite some time.
Do you think thank you. Do you think that deployment timeline, whether it's Microsoft Copilot or Einstein or, you know, whatever, would you be disappointed if that was not a 2024 event? Or do you think that's kind of more a 2025 event when we see that industry deployment happen?
So, there's a lot of tailwinds that are working in our favor. And therefore, I'm not putting all of the eggs in one component, whether it's Copilot. I think the MDDR and the ability to go to customers and provide them that automated component of the software is a big deal that's in our control. I think the Copilot, if I had to be a betting man, would drive, you know, it will get to a point where there is mass distribution 'cause it's Microsoft. And I think there's a lot of value in the productivity gains that it provides employees. But like everything, you wanna see it happen first. And then you make the adjustments. We're ready for it to start now. But if it takes longer, we're there.
We're not going anywhere.
Maybe let's talk about some of the other many tailwinds of your business, beyond GenAI. MDDR, you mentioned that a few times. One, maybe just high-level, what is that? What drew you to introduce that offering?
So it's something we've been doing for quite some time with our SaaS offering. We had a proactive incident response team that would go to customers and have conversations with them about trying to analyze whenever something's happening that's abnormal. What we're doing right now is just, for that same service, trying to charge money and extract more dollars from customers. But we're doing it with a signed SLA that has a 30-minute ransomware alert. So obviously, it's a win-win for the customers as well because they get that SLA in place. When you think about 30 minutes, it's best in class in the industry. So, it's definitely something that we're happy to provide customers. But I think it changes kind of the whole way the security team has to deal with a Varonis product because now they can put resources into other focus areas.
And all they need to do is pick up the phone when we call them if there's any abnormal behavior. And in a way, it's just a no-brainer for new customers. But it's also value that we can provide our existing customers when they convert from on-prem subscription to SaaS. And we have it as a bundle where we either extract dollars by selling MDDR separately or it's part of a bundle where if you buy additional licenses, you'll get MDDR at a reduced price. Either way, we don't care. As long as we can extract more dollars from the customers and provide them the value that I think we do with the MDDR, it's a win-win for everyone.
And then when you think about packaging the service, you know, roughly, what kind of uplift could this be to existing deal sizes?
So, it's very early on. We just introduced it a couple of months ago. Still early for me to put a number there. But as I said in my previous answer, we're trying to extract more dollars either through sales of additional licenses or by selling the MDDR at a higher price. The one important thing is that MDDR, we're not trying to be a service-type company. This is very much driven by automation in the software where the alerting and the capabilities allow us and kind of the goal of where we see this happening is that MDDR service will be software-type like margins. I think we can do that with the capabilities of the software. That's where we've kind of had the focus.
And really, just switching the proactive incident response team that did that in 2023 to the MDDR service in 2024 where we can charge for it and give those customers the SLA with a 30-minute ransomware. That's really the biggest difference.
Is it weird to think about? Is it almost like a retainer within a subscription contract where you know, a portion of that contract will be ascribed to MDDR?
We're selling it as a package.
Right.
You need the software in order to get that service. You're not gonna get that service without buying all the licenses. And the licenses is what a lot of the automation within the license is what gives you the capabilities to do this. But now, we would just call you up if we see anything abnormal and make sure that you take care of it. It's important for everybody to realize that there's no MDDR without Varonis SaaS. We couldn't have done this in a self-hosted model. And we can't offer this service unless a customer has Varonis deployed. And the more Varonis they have deployed, the more valuable the MDDR is because you've got us looking at Windows data, and you've got us looking at 365.
Why wouldn't you want us to call you if something happened inside Salesforce or inside Amazon or inside Azure or inside Google? So, the more data you have, the more applications you have, the more valuable the MDDR is, the more opportunity we have to deploy Varonis in those places.
Got it. That's a good segue to talking about the SaaS transition a little bit. Varonis, you know, has been around for a while. Congratulations on 10 years as a public company recently. So, the SaaS product, you spent a couple of years developing it. You were very thoughtful about it. I think over $100 million were spent to develop the product. And you really started to launch and sell it early last year, a little bit late 2022 as well. Can you talk about the benefits of SaaS, Brian, around you being able to cover more data sources, you being able to offer more services like MDR? What is sort of the benefit from a product standpoint, from a functionality standpoint to Varonis?
If you think about the self-hosted model, the old kind of old model, if we wanted to develop either support for a new data store, an application, even a new NAS platform, or we wanted to offer more functionality like new automation, or even new AI classification patterns or threat models, we would have to package that up, get it out to our customers. They'd have to install it, upgrade their environment. We'd have to go through testing. We'd have to go through rings of customers as we deployed this. A single feature or a single new data store that we supported might take months or up to a year or more for us to get to all of our customers. In the SaaS world, all that goes away. We develop something new. We push it to all of our customers immediately as soon as it's ready.
We can have development teams working in parallel so we can have multiple innovations going on at the same time. Our customers don't have to. We don't have to worry about the sizing of their environment, the databases, and the infrastructure. All that goes away because we're handling that on the SaaS side. So, all of the friction for innovation, all of the friction for our customers getting value goes away for the most part. And that's why it's a better product. We had 15 major press releases last year for new features and functionality, major features and functionality, which is more than in the 10 years in the years prior combined. It's a complete game changer for us from a technology standpoint.
Let's talk about the SaaS benefits from the company's perspective.
Mm-hmm.
There's a lot of productivity that we can generate through the SaaS offering. There's a lot of leverage in there. We expect sales cycles to be shorter through the SaaS offering, just by the introduction to customers. And kind of the whole risk assessment process is much simpler. We expect renewal rates to be higher and better. And I think MDDR can actually help that as well because it makes the product stickier. Not that, you know, our renewal rates are over 90%. But I think even if we can get increased percentage points there, it's beneficial. And obviously, when you think about kind of the benefits from a modeling perspective in the P&L, we've been managing two types of code, the on-prem subscription and the investments that we've done with SaaS. Look a couple of years ahead.
I'm not talking about 2024 or 2025. A couple of years ahead, we'll get to a point where you don't make the same investments in the on-prem subscription. Maybe all your focus is on the SaaS. You get significant gains from an R&D perspective, by managing one type of code only. From a customer success perspective, PS support, the number of tickets with SaaS customers that have SaaS has gone down significantly compared to customers that have on-prem subscription because we can fix things automatically through SaaS. We don't have to go to every individual customer and do it separately. There's a ton of benefits for the organization in the SaaS selling. It works well. The customers get a much better product. We have the benefits in the financial model and the leverage going ahead.
Yeah. As far as the ROI delivered to the customer, Brian, talk us through sort of the infrastructure and headcount savings they may have when they move to a SaaS product.
The infrastructure, for the most part, goes away. You don't have to worry about databases. You don't have to worry about analysis servers. You don't have to worry about hardware. That's true for the risk assessments. We can get in faster. We can deliver value much faster. Because we've been able to innovate so much more quickly in SaaS, there's automation in the SaaS platform that never existed and will never exist in the self-hosted platform. That's how we can get you safe and ready to deploy Microsoft Copilot in a matter of weeks. That would be impossible in the old world. So, from a customer perspective, they spend less time deploying it. They spend less money on the infrastructure. They spend less time operating it, a 90% reduction in support tickets. They get more automation. So, they're able to get to these outcomes faster with less effort.
They get MDDR and proactive incident response. It's a massive amount of value. One way to think about it is our customers are getting 10 times the value with 10% of the effort.
Yeah. And, Guy, the uplift that you spoke about, about 20%-30%, I believe, ASP uplift when you move to SaaS, seems like that's more than justified by the cost savings. So, is there a potential to get maybe more uplift? Or are you trying to incentivize the customer to buy more products?
There's two things to address with that question. I think, first of all, when we talk about apples to apples, the same number of licenses on-prem to SaaS, it's that 25%-30% uplift. But we have seen customers when they convert, when they move from on-prem to SaaS, they actually are moving to a much larger platform purchase. So, the actual uplift is higher than that 25%-30% uplift. That's one component. The other component is that it's very important to note that even with that uplift that customers are paying, the total cost of ownership for them is lower. So, they're saving money. Now, do you make that uplift higher from a price list perspective? Probably not because there's so much more for us to sell that you can extract more dollars by additional platform protection that you provide.
I think we've done that very well in the past. With the MDDR, I think we can increase the additional dollars we get from customers as well. There's a lot of ways to extract more from customers. We're just trying to tie it together with additional value we provide them.
Yeah. And the SaaS transition has been progressing, I think, much better than you thought. It's around 20% of total ARR now, I believe.
23, yeah.
Talk to us, you know, why that was, why you saw success maybe exceed beyond your expectations. And how are you thinking about now going after the existing customer base, not just the new? Is that starting to also, you know, convert as well?
Number one reason it's moving quicker is because it's a better product. That's first and foremost. I don't think we'd be able to move as quickly as we have if customers wouldn't understand the benefits of it, see the power that it has, that and then see our existing customer base request to move to SaaS because they see the value. So, we got to 23% at the end of 2023 because a large portion in dollar terms actually asked to convert to SaaS, which wasn't really part of our plan when we introduced kind of the SaaS offering. In our investor day in March of 2023, we talked about two phases. Phase number one would be focusing on new customers. Then phase two would be kind of focusing on the existing customers and asking them to convert to SaaS.
We actually saw that happen throughout the year in a very natural way. We didn't put the focus on it. We saw customers come and ask to move. We saw reps that would benefit from the uplift, they retired quota on anything that was on top of the renewal. So, if we sold $100,000 of on-prem subscription and now they converted a customer, and now they bought at $130,000, the $30,000 went towards their quota. So, this kind of evolution that happened in a very natural way was beneficial both for the customers and for us. That's how we got to 23%. When we're talking about phase two and the focus on converting customers, we just in the last earnings call reduced the period of, kind of the time to we would transition from five years to four years.
We see that happening quicker because of all the things I've mentioned. Focusing on phase two will happen throughout this year, probably more of a focus towards the second part of this year. But then we see acceleration not only within the year but within every single year going forward. So, we expect 2025 conversions to be at a much higher number than 2024 and then 2026, higher than 2025. And I think that, as we look at that focus, we kind of define the transition as being complete when we get between 70%-90% of our ARR coming from SaaS. I think we have the ability to provide value to customers and get them to convert to SaaS, which would be beneficial for us from a financial perspective as well. So, I think it's all working kind of in the right direction.
Do you foresee maybe considering any additional incentivization to convert that existing base? Or is it just happening more naturally? You let it fly?
So, this was kind of a question that we contemplated throughout the year. I'll say that initially in 2023, when we just introduced the transition, the thought process was that we would put additional incentives in order to make reps focus on the conversion. But because we saw it happen in a natural way throughout the year, it didn't make sense to throw money, quote-unquote, in places that are happening naturally. And we wanted to make sure that we use our resources in the right way. So, the reps are definitely benefiting from the conversions because they get the uplift towards their quota. There are carrots and sticks in the commission plan that would allow us to drive that behavior. If we see it continue to happen in kind of the natural way that we've seen, then there would be no need to make any adjustments.
But if we do need to make adjustments, we will. So far, I think the focus and the benefits are clear. And it's happening in a natural way.
Got it. Couple of questions on profitability. I'll open up to the audience again. But what I've been surprised by is the margin leverage in the last couple of quarters, despite the fact that you have some headwinds on reported revenue because of the SaaS transition. Can you talk a little bit about what's driving that? And then when you're looking at assessing efficiency and margin progression during a SaaS transition, what are some of the metrics that, as investors, we should be looking at?
When we did the investor day, we talked about 3 North Stars: ARR, ARR contribution margin, and free cash flow. Those, for us, are the most important metrics in order to gauge the health of the business. Revenue for the next couple of years would be nonsignificant in identifying the strength of the business just because of the way the revenue recognition is recognized with on-prem subscription versus SaaS. So ARR, ARR contribution margin, and free cash flow. I think one of the things that I'm most proud of that we've done as an organization is increase our free cash flow so significantly, even during the first year of a transition because, obviously, there are additional investments that you have to put into play when you make a transition of this sort. Our free cash flow ended at roughly $54 million for 2024.
And our guidance for in 2023 and the guidance for 2024 is to be between $70 million-$75 million free cash flow, where in 2022, it was roughly break-even. So I think one of our philosophical ways of running the business was always to try and grow it, top line, ARR improvement, but at the same time, bring some of it to the bottom line. And I think the ARR contribution margin has shown significant improvements. And on top of that, start generating cash in a more meaningful way. The margins of the SaaS offering are very, very healthy, actually better than we initially expected. That's helping to drive some of the free cash flow that we're seeing there and the ARR contribution margin. It gives us a lot of room to make investments in other places that are very beneficial.
When we look at the opportunity today and where we sit today compared to previous years, I think the long-term opportunity actually increased, which is part of the reason we're putting money to work in terms of our guidance when you look at the expense side for 2024. But the highlight is we wanna grow, bring some of it to the bottom line, and improve cash generation.
Any other questions from the audience?
Good. Thanks. What informs your view that the natural trajectory of uptake you're seeing is an ongoing phenomenon versus early adopters? And also, I'd just ask, what are the penalties in the event you don't meet the SLAs? And have you embedded that into your outlook?
So, when you look at kind of the progression of the existing customers moving to SaaS, the one thing to keep in mind is that we have incentivized reps to sell on-prem subscription with a 3-year deal. And when you do that, not all of the customers would convert prior to the renewal coming to an end. And therefore, from conversations that we have with customers, even ones that are locked in in kind of the renewal period, many of them and I'd say it's a natural transition to move to SaaS. I'd say the only customers that aren't moving to SaaS are state and government right now because they're waiting for the FedRAMP certification, which we're putting a lot of time and money and effort to try and get that. Apart from that, customers want the better product.
So that gives us the confidence that we can get there. It's just the conversations that we have. In terms of the SLA, obviously, there are legal items within the contract that give us the protection. But we understand that we're putting out a period there. 30 minutes is very short. I think it's a testament to how we feel about our product and the value that it can provide customers. But we do have the language in place for protection.
Thank you.
All right. Well, thank you, Arun, for joining us. Really exciting days ahead for Varonis. Thank you, Guy and Brian and everybody for coming.
Thank you.